GS1900-24E and have a question about VLANs
Hello, I've got a GS1900-24E and have a question about VLANs.
On port 2 and 3 I am aggregating as LAN (coming from pfSense LAN aggregated).
Port 4 and 5 run hypervisors with DHCP for ports 7 to 24.
Ports 7 to 24 (except 6) need to see and use port 2+3+4+5.
The (web) management interface must work on all ports except port 6.
Port 6 (fixed IP) needs to be in its own VLAN but be able to use port 2+3.
Is this possible? Do I need PVID?
Do I need to configure the aggregated port 2+3 as upstream anywhere?
Can I assign more than one VLAN for port 2+3?
Assumptions:
Port 2-3 VLAN 10+20 and PVID 10+20
Port 6 VLAN 10 and PVID 10
Port 4-24 (except 6) VLAN 20 and PVID 20
Or am I missing something?
0
All Replies
-
Hi @itpp21,
Welcome to Zyxel Community.
I will answer your questions one by one.
> port 4 and 5 run hypervisors with dhcp for ports 7 to 24
Do port 4 and 5 connect to the same device? If so, it should be configured as link aggregation as well.
> Port 2-3 VLAN 10+20 and PVID 10+20
It's doable, but a port is only allowed one PVID. You may only tag VLAN 10&20 for port 2-3 (LAG), and pfSense LAN ports should also be tagged VLAN 10&20 on the LAG.
> Port 6 VLAN 10 and PVID 10
> (Port 6 (fixed ip) needs to be in his own VLAN but be able to use port 2+3)
It's doable, you may use guest VLAN for VLAN 6 to fulfill this demand.
> Port 4-24 (except 6) VLAN 20 and PVID 20
Yes, doable.
Please let us know if you have any concern.
Adam
0 -
Hi Adam,
> Do port 4 and 5 connect to the same device? if so, it should configure link-aggression as well.
No, port 4 and 5 serve different purposes.
> but a port is only to allow one PVID
Using PVID next to VLAN assignments is based on a remark that VLAN (tag) unaware devices need a PVID set on the port.
If such devices cannot break out of a VLAN, the PVID is not needed.
It would then become:
Port 2+3 (LAG) tagged VLAN 10+20 (mirrored on pfSense LAG side)
Port 6 tagged VLAN 10 (can see and use port 2+3 via VLAN 10)
Port 4-24 (except 6) tagged VLAN 20 (can see and use port 4-24 except 6 via VLAN 20)
Some questions remain:
> The (web) management interface must work on all ports except port 6
I am assuming this is the case; if not, please inform how this can be done (I have read the manual but can't find this).
> Do I need to configure the aggregated port 2+3 as upstream anywhere?
I am assuming that if the configured gateway is presented on 2+3 (LAG), the switch will mark these LAG ports as upstream.
0 -
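The plan in the reply above (an isolated VLAN 10 for port 6, VLAN 20 for the hypervisors, hosts and management, both carried tagged on the LAG to pfSense) can be checked before touching the switch with a small 802.1Q forwarding model. This is an added example, not Zyxel code and not anything from the thread: it models only the generic tagged/untagged/PVID semantics (untagged ingress gets the PVID, ingress filtering drops VIDs the port is not a member of, egress strips or keeps the tag per membership). The port names, the "mgmt" pseudo-port standing in for the switch's management interface, and the choice of PVID 20 on the LAG are assumptions; the model also checks the variant Adam later warns about, where the LAG is untagged in one VLAN only.

```python
"""Toy 802.1Q forwarding model for checking a VLAN plan before committing it.
Added example; not Zyxel firmware behaviour, only the generic tag/PVID rules."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    pvid: int                                    # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=set)   # VLANs sent out of this port without a tag
    tagged: set = field(default_factory=set)     # VLANs sent out of this port with a tag

    def members(self) -> set:
        return self.untagged | self.tagged


def ingress_vlan(port: Port, vid: Optional[int]) -> Optional[int]:
    """Classify an arriving frame. vid=None means the frame arrived untagged.
    Returns the VLAN it is switched in, or None if dropped by ingress filtering
    (the port must be a member of the VLAN the frame ends up in)."""
    v = port.pvid if vid is None else vid
    return v if v in port.members() else None


def egress(port: Port, vlan: int) -> Optional[str]:
    """How a frame in `vlan` leaves `port`: 'tagged', 'untagged', or None (not sent)."""
    if vlan in port.tagged:
        return "tagged"
    if vlan in port.untagged:
        return "untagged"
    return None


def reach(switch: dict, src: str, dst: str, vid: Optional[int] = None):
    """Can a frame entering `src` (untagged, or carrying tag `vid`) be forwarded
    out `dst`? Returns (vlan, egress_form) or None."""
    vlan = ingress_vlan(switch[src], vid)
    if vlan is None or src == dst:
        return None
    form = egress(switch[dst], vlan)
    return (vlan, form) if form else None


HOSTS = [f"port{n}" for n in [4, 5] + list(range(7, 25))]  # hypervisors + client ports


def build_plan() -> dict:
    """Constructed plan (assumption): VLAN 10 = port 6 only, VLAN 20 = everything else
    including the management interface. Ports 2+3 are the LAG1 trunk to pfSense."""
    sw = {
        "LAG1": Port(pvid=20, tagged={10, 20}),  # trunk: both VLANs tagged towards pfSense
        "port6": Port(pvid=10, untagged={10}),   # VLAN-unaware fixed-IP host, own VLAN
        "mgmt": Port(pvid=20, untagged={20}),    # pseudo-port for the switch web UI
    }
    for h in HOSTS:
        sw[h] = Port(pvid=20, untagged={20})     # access ports: untagged, PVID 20
    return sw


def lag_untagged_variant() -> dict:
    """Variant where LAG1 is untagged in VLAN 10 only: VLAN 20 has no path to pfSense."""
    sw = build_plan()
    sw["LAG1"] = Port(pvid=10, untagged={10})
    return sw


def check_requirements(sw: dict) -> dict:
    """Evaluate the thread's requirements against a plan; True means satisfied."""
    return {
        "hosts_reach_hypervisors_and_lag": all(
            reach(sw, h, d) for h in HOSTS for d in ("port4", "port5", "LAG1") if h != d),
        "hosts_isolated_from_port6": all(reach(sw, h, "port6") is None for h in HOSTS)
                                     and all(reach(sw, "port6", h) is None for h in HOSTS),
        "port6_reaches_lag": reach(sw, "port6", "LAG1") == (10, "tagged"),
        "mgmt_from_all_but_port6": all(reach(sw, p, "mgmt") for p in HOSTS + ["LAG1"])
                                   and reach(sw, "port6", "mgmt") is None,
        # a host that self-tags VLAN 10 on an access port is dropped at ingress,
        # which is why an untagged port with a single PVID cannot "break out"
        "no_vlan_hopping_by_tagging": reach(sw, "port7", "port6", vid=10) is None,
    }


if __name__ == "__main__":
    for name, ok in check_requirements(build_plan()).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print("untagged-LAG variant, hosts reach pfSense:",
          check_requirements(lag_untagged_variant())["hosts_reach_hypervisors_and_lag"])
```

Running it prints PASS for every requirement under the tagged-trunk plan and False for the untagged-LAG variant, which matches the later observation in the thread that an untagged LAG only carries its one VLAN to pfSense. The point worth keeping from the model is that isolation comes from membership plus ingress filtering, not from the PVID alone: a port that is a member of only one VLAN cannot emit or accept frames for any other, whatever tag the host puts on them.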
@itpp21,
Thanks for your update.
Regarding your questions:
> The (web) management interface must work on all ports except port 6
> I am assuming this is the case, if not please inform how this can be done (I have read the manual but can't find this).
Since you will configure VLAN 20 for port 2-24 (except 6), configuring a management IP in VLAN 20 should be no problem for your need.
> Do I need to configure the aggregated port 2+3 as upstream anywhere?
> I am assuming if the gateway configured is presented on 2+3(LAG) the switch will mark these LAG ports as upstream.
You may need to configure the default gateway of the GS1900 switch to the IP address of pfSense.
Adam
0 -
This works, though it might not be as it should be configured; here it does the job (isolation of port 6):
VLAN config -> Go to Ports -> Set port 6 to a different VLAN (port 2 and 3 are LAG1)
Go to VLAN Port -> Untag LAG1 for VLAN 10 (allow port 6 on VLAN 10 to access the LAN2WAN gateway)
This works but I am open to improvements.
0
-
@itpp21,
> Port 2+3 (LAG) tagged VLAN 10+20 (mirrored on pfsense LAG side)
(You are using untagged for VLAN 10 only)
Adam
0 -
That's because you can't change VLAN 1 en masse to anything else, as there are two places that need changing, and when one or the other is changed you lose (web) access (they need to be changed at the same time), so in my case VLAN 1 remained 1 instead of 20. Other segments will use 20 and higher after the 1900 is put into production.
0 -
The way I've done it sounds like untag multiple vlans to multiple ports instead of assigning multiple tagged vlans to a port, which seems to work as intended (block traffic between vlans and allow one vlan to be shared), where one question remains: does this make sense?
0 -
@itpp21
I would say there is no reason to determine whether your configuration or topology makes sense or not when the settings are workable for you. It all depends on how you are going to configure devices to fulfill your demands.
My question for you is: is your pfSense a firewall? If so, I suggest you change LAG1 to tagged and also allow VLAN 10 on pfSense. Your LAG1 (port 2&3) is untagged now, so it only allows VLAN 10 to your pfSense. However, if you are not planning to put another switch behind this GS1900-24E, which may assign different VLANs such as 20 or 30, you will not have to change it.
Let me know if you have any concern.
Adam
0 -
pfSense is indeed a firewall.
I took the 1900 into production early yesterday and so far all good.
For LAG1 it defaults to VLAN 1 and has 10 added, so it is serving 2 VLANs.
There are no other switches in use; services are clustered to a port on the 1900 and then assigned a VLAN when required. This VLAN is then added as allowed on LAG1 if internet is needed; if not, it is added as allowed on a port for inter-service communication. This works fine from an isolation point of view.
Next month I'll switch on (plug in the second cable) LA on LAG1 and the sg-5100; in testing this worked as designed.
0